Solved

Unable to access external website from desktops but can ping and access from server and from externals

Posted on 2014-11-17
32
114 Views
Last Modified: 2014-11-26
Hi all . I inherited a small network .
I am stumped by a problem and I hope you can help .
I have a website which can be accessed externally and i am able to ping and access from the server .
However when i attempt to access it from any desktops on my network I am unable to do so .
Will not display page .
I have done nslookups from both the server which works and from the desktop which doesn't.
They both resolve to the same adddess so it does not appear to be a dns issue .
When I launch tracert from the server it completes .
When I launch it from the desktops it times out before the final hop .
I am thinking it may be a firewall issue but I am unsure what I should do to verify this . Again since the server is able to resolve and ping the address I am stumped by this issue .
Thanks for your help
0
Comment
Question by:Andre P
  • 17
  • 9
  • 5
  • +1
32 Comments
 
LVL 12

Expert Comment

by:jkaios
Comment Utility
What type/version of OS is on the desktops?

Can you temporarily turn off the firewall on the desktops (if currently on) and test again?
0
 

Author Comment

by:Andre P
Comment Utility
Thank you so much for responding

Windows 7 is on the desktops and I have turned off firewalls no dice ... There is a sonic firewall on the network but since the server is able to receive pings .. I am not sure if it is a factor
0
 
LVL 12

Expert Comment

by:jkaios
Comment Utility
Accessing the server is different than pinging it.

What do you mean exactly by "external website"?  Is it a web server somewhere on the Internet and what is the address or IP?  What kind of web server - IIS, Apache, other?
0
 

Author Comment

by:Andre P
Comment Utility
its the companies web page .
The point is im able to browse the page externally and also internally from the sbs server only .
The desktops are unable to do so though . Nslookup shows the same non authorative (both on desktop and sbs server and externals) i know the DNS is resolving to the correct ip address . Then i tried to ping the address .. from the sbs server where it can be browsed ..ping works so icmp is being passed through the firewall at least to the server .I tried tracert and it was sucessful .

From the desktop ..internal when it fails .. i cannot ping and tracert gets to the last hop then times out and so i believe there is the beginning of the problem
i just dont know how to troubleshoot from there .
 .
0
 
LVL 12

Expert Comment

by:jkaios
Comment Utility
Is there any access restrictions on the web server that denies "certain" IP address range?

Is the SBS server on a static IP address?
0
 
LVL 12

Expert Comment

by:jkaios
Comment Utility
What's the exact error message on the desktop PCs?

Also can you try other browser like Firefox n Chrome on the desktop?
0
 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
Just to be clear, this website is hosted on an external server, not your SBS server, correct?
0
 

Author Comment

by:Andre P
Comment Utility
Its hosted internally
0
 

Author Comment

by:Andre P
Comment Utility
Sorry hosted by network solutions
0
 

Author Comment

by:Andre P
Comment Utility
So where we are is that none of the computers on the LAN except for the server can reach the website which is hosted externally .
the dns settings all resolve to the same ip address . Only the server can successfully ping that address.
All other machines time out at the final hop .( using tracert)
0
 

Author Comment

by:Andre P
Comment Utility
Page not found --Using Chrome ..
The SBS server is a static address
0
 
LVL 12

Expert Comment

by:jkaios
Comment Utility
Are the desktops using the same DNS address configuration as the SBS server?

Is it possible to provide the ip config /all of the desktops and the SBS server?
0
 
LVL 6

Expert Comment

by:Rob G
Comment Utility
Sounds like you have the bindings set for external access only..
I assume this is IIS.. can you tell me what version?

Is the binding set to an external only address?
Or is the Binding set to an internal address?
What does the DNS look like?
0
 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
If your website is hosted externally, then IIS bindings shouldn't matter on your end.  Do you have a DNS entry on your server corresponding to the website in question?  Are you forwarding the website from IIS back out to the external website instead of allowing direct access?  Are you using a firewall/gateway/router device and are they any restrictions as to outgoing traffic on that device for computers behind it?
0
 

Author Comment

by:Andre P
Comment Utility
Asif ,
I initally put a host entry in the forwarding zone
corresponding named www
and companyname.com
and the external ip address
ran ipconfig /flushdns
This did nothing.
then i changed the address to the server internal address.
I just got the IIs screen.
I deleted that .
There is a sonicwall device .
I do not know what to look for on there though
If you could let me know what entry I should be looking for that would help .
Thank you for your help .
0
 

Author Comment

by:Andre P
Comment Utility
Here is how the tracert looks .
and here is the ipconfig /all for desktop and server
Unable-to-access-www.company.com-from-wi
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
Since your website is hosted by an external company, and it's accessible from the internet by other computers, it means they are taking care of the DNS records.  Therefore, you should *not* have any entries whatsoever on your DNS relating to your external website.  Just let DNS resolution happen as it does for all other external websites.  If you have an entry in your DNS server, that is likely the problem.

Regarding your SonicWALL, I doubt there is any problem there.  But, to be sure, check your Firewall > Access Rules and makes sure you don't have outgoing access to your website IP (specifically) blocked from any internal IP source addresses.

Let me know if either of these steps help.
0
 

Author Comment

by:Andre P
Comment Utility
No entry in sonic wall ,
No entry in SBS DNS.
Of note typing in the website address on the browser .Brings up an IIS7 default screen .
Question :
If the tracert fails after that many hops just before the destination , Could that indicate the problem lies with the hosting service ?
What makes my brain itch is that the server itself can access the site .
What am i missing here .
Are there any tools to trace this ?
0
 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
Shot in the dark here:  Do you have any entries in the hosts file on the workstations that could be causing this?  Also, have you flushed the DNS cache on the workstations?  The fact that they are showing an IIS splash screen seems to suggest they are still trying to access the server.  Your local IIS and your corporate (external) website don't have the same DNS name, do they?
0
 

Author Comment

by:Andre P
Comment Utility
The server name is MLmain. Where would I double check if the IIS has the same name ?
0
 

Author Comment

by:Andre P
Comment Utility
Asif,
Flushed the DNS cache,
if the IIS had the same name would'nt NSlookup www.company.com resolve to the local server which would cause the problem ?
I am not sure where to look to verify that this isnt the case
Please Advise
0
 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
Yes, you would think that the nslookup would just resolve to the server at that point, but then again, we're just trying to rule things out at this point since this problem is a little strange on its own.  

Please check your forward lookup zones in your DNS to see if there is any mention of www.company.com.  There shouldn't be, since you are correctly using a .local domain for your network.  If it's in there, maybe take a screenshot so we can look at the settings.

I had another thought also.  Are all of your machines behind the SonicWALL?  Or does your server have one external IP and your workstations are using a different NAT'ed IP?
0
 

Author Comment

by:Andre P
Comment Utility
Asif ..
Hmm.
Well thats a thought ,,
Remote.company.com is set up on the server .
Remote Web services is set to use remote,company.com
How do I check if the Sonic has an external set strictly for the server ?
0
 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
remote.company.com is ok, that's pretty standard.  Instead of digging around SonicWALL, let's do something simpler.

1)   From your server, go to http://www.whatsmyip.org/ and note the IP address
2)   From one of your workstations, also go to http://www.whatsmyip.org/ and note the IP address

If (1) and (2) are the same, then we don't have separate IPs and you are NAT'ing the same address so that isn't a problem.  If you have different IPs then please post back and we'll discuss.

Do you mind me asking what your actual public website is?  I would like to take a look at it's DNS record and see if I can find any clues.  I assume since it's a public website, you wouldn't mind?  If you'd prefer, you could private message me on the site so it isn't posted here.
0
 

Author Comment

by:Andre P
Comment Utility
Assif,
They are different.
server is x.x.x.154
desktop is x.x.x.155
This is the first clue so far !!! Great !!!
What do I do next ?
0
 
LVL 6

Accepted Solution

by:
Asif Bacchus earned 500 total points
Comment Utility
At this point, I'd check with your hosting company to see if they are blocking the x.x.x.155 address for some reason.  I did not see anything glaringly obvious in the public DNS record or the site, aside from a mismatched SSL certificate, which is of no concern here.

As for checking more things on your end:  Since you've ruled out your local DNS and hosts files, I can't think of much else for you to check.  If something hits me later tonight, I'll update the post.
0
 

Author Comment

by:Andre P
Comment Utility
Wow !
Thanks so much for your help !  Will look into that also and keep you posted .
So there is no chance that  x.x.x.155 is somehow affected by the sonicwall ?
( I am not a sonic wall expert)
0
 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
No problem, hopefully we've got you on the path to resolving this issue!  

Regarding the second IP address, it is possible that your SonicWALL is the cause but since you didn't see any outgoing rules when you checked earlier, I really don't think so.

If you want to be totally sure, you can put one of your clients in a DMZ.  I'm going to assume you are using NAT mode.  If so, this is the procedure

1)   Log into your SonicWALL device
2)   Click Network > Interfaces
3)   Find an unassigned zone, click Configure
4)   Select DMZ from the Zone drop-down box.  Select Static from the IP Assignment drop-down
5)   Enter the IP address and subnet mask of one of your workstations
6)   Check an option next to Management to enable remote management of the DMZ
7)   Check HTTP/HTTPS next to user login
8)   Click OK

Your specified workstation should now be in a DMZ and have unrestricted internet access.  Verify this by going to http://www.whatsmyip.org/ from the workstation in the DMZ and noting it's IP.  Assuming it's still the x.x.x.155, then try accessing your public website.  At this point (since we are in a DMZ) the firewall is not blocking any traffic to that workstation and no rules are being applied.  So, if you can view the website, then your SonicWALL is indeed blocking the workstations.  If you cannot view the website still, then it has nothing to do with your SonicWALL.  If your address at  http://www.whatsmyip.org/ is not the x.x.x.155 address any more, then post back and let me know what it reports as your address.
0
 

Author Comment

by:Andre P
Comment Utility
Need to get permission to try this .
Will let you know .
0
 

Author Comment

by:Andre P
Comment Utility
Situation RESOLVED .!!!!
Special shout out to Assif .
Turns out the Ip address x.x.x.155 needed to be whitelisted at the hosting site .
Thank you so much for the help !
You guys were amazing !!
Never used this exchange before to help resolve an issue  .
Will be looking to pay it forward myself.
Thanks a million !
0
 
LVL 6

Expert Comment

by:Asif Bacchus
Comment Utility
It's always the little things, glad you got it sorted out!  Now, go enjoy your weekend! :-)
0
 

Author Comment

by:Andre P
Comment Utility
I've requested that this question be closed as follows:

Accepted answer: 0 points for Andre P's comment #a40456612

for the following reason:

The help received here allowed me to narrow it down .
Because the tracert timed out within the area covered b the host company we were able to determine that the problem lay there .
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now